
CVE-2019-19325: Reflected XSS in SilverStripe

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.57441%
Published: 2/24/2020
Updated: 2/6/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| silverstripe/framework | composer | >= 4.5.0, < 4.5.2 | 4.5.2 |
| silverstripe/framework | composer | >= 4.0.0, < 4.4.5 | 4.4.5 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper HTML attribute sanitization in form rendering. The patch shows:

1. In Form.php, attribute values were escaped but attribute names were emitted verbatim. The fix applies Convert::raw2att to both the name and the value.
2. In FormField.php, non-scalar attribute values were JSON-encoded and inserted without attribute escaping, and attribute names were likewise not sanitized.
3. The Convert class documentation was updated to warn that these helpers do not escape array keys, which matches the "non-scalar FormField attributes" wording of the CVE.
4. Added test cases check that attribute names and values are escaped, confirming that these rendering methods were the attack surface.
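The pre-patch and post-patch rendering behaviour described above, as an added PHP example that is not SilverStripe's own code: htmlspecialchars() stands in for Convert::raw2att (an assumption about its escaping), and the attribute map is constructed for illustration.

```php
<?php
// Added example, not SilverStripe's own code. Models the attribute rendering
// paths described in the root cause analysis with plain PHP.
// Assumption: htmlspecialchars() with ENT_QUOTES stands in for Convert::raw2att.

function att(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pre-patch behaviour: values are escaped, but keys are emitted verbatim and
// non-scalar values are JSON-encoded without attribute escaping. The JSON's
// own double quotes terminate the attribute, so anything after them lands in
// the tag as new attributes.
function renderAttributesVulnerable(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        if (!is_scalar($value)) {
            $parts[] = $name . '="' . json_encode($value) . '"';
            continue;
        }
        $parts[] = $name . '="' . att((string) $value) . '"';
    }
    return implode(' ', $parts);
}

// Post-patch behaviour: name and value are both passed through the attribute
// escaper, including the JSON produced for non-scalar values, so quotes and
// angle brackets cannot leave the attribute context.
function renderAttributesFixed(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        if (!is_scalar($value)) {
            $value = json_encode($value);
        }
        $parts[] = att((string) $name) . '="' . att((string) $value) . '"';
    }
    return implode(' ', $parts);
}

// Constructed input: an attribute map whose key and nested value carry a
// double quote, the character that must never reach the markup unescaped.
$attrs = [
    'class'                    => 'text',
    'data-config'              => ['label' => 'x" data-injected="1'],
    'data-x" data-injected="1' => 'ok',
];
echo renderAttributesVulnerable($attrs), "\n";   // quotes break out of the attributes
echo renderAttributesFixed($attrs), "\n";        // every quote rendered as &quot;
```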


WAF Protection Rules

WAF Rule

SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows perform
